Re: Gothcas of changing the IP Address of an Authoritative DNS Server

[bmanning () vacation karoshi com]

On Wed, Dec 14, 2005 at 10:02:56AM -0500, Joe Abley wrote:
> On 13-Dec-2005, at 16:28, Steven M. Bellovin wrote:
>
> > In message  
> > <9828b780512131312q220a5ea6x97a6167e33c654a0 () mail gmail com>, Sam Cr
> > ooks writes:
> > > I would think you would want to drop your DNS record TTLs for all
> > > domains being moved to something very low several days before the
> > > switch-over period.
> >
> > More precisely, you want to change the TTL on the NS records, which  
> > are
> > in the parent zone.  If you're keeping the name but changing the
> > address, worry about the A records, too.
>
> You also want to check all the registries which are superordinate to  
> zones your server is authoritative for, and check that any IP  
> addresses stored in those registries for your nameserver are updated,  
> otherwise you will experience either immediate or future glue madness.
>
> A conservative approach to this kind of transition is to arrange for  
> your nameserver (or different nameservers hosting the same data) to  
> respond on both the old and new addresses, and to continue in that  
> mode until you see no queries directed at the old address for some  
> safe-seeming interval (bearing in mind TTLs and cached records,  
> alluded to by Steven and Sam).

        currently in the middle of such a safe, conservative 
        transition leads me to believe that there will -NEVER-
        be a point w/ there are no queries to the old address.
        (he says, 24 months into a transition...)  The right 
        tactic is to make the change, based on 2x the TTL of the SOA.

--bill
> Joe